contour
contour copied to clipboard
Support standard Forwarded header
As far as I can see the ingess controller currently just supports the "non-standard" X-Forwarded-* headers. It would be nice to support also the standard Forwarded header.
Use case Keycloak has added support for the Forwarded header with version 21.0.0 and advices reverse-proxies to override this header.
Support in the nginx ingress controller is currently added, too: https://github.com/kubernetes/ingress-nginx/pull/10322
Hey @PSanetra! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace
I think this would rather be a request for Envoy as also the existing X-forwarded-*
logic is implemented there.
With a quick glance at the proposed NGINX approach, it seems to use configuration approach, with some limitations mentioned in the warning of the wiki article.
I think proper parsing would rather be done in C++ in Envoy.
As pointer for those who are looking for the workaround: overriding the header can be done using request rewriting: (1) use httpproxy.spec.routes.requestHeadersPolicy.remove
to remove Forwarded
header, or alternatively, maybe attempt to trivially (2) use requestHeadersPolicy.set
to set the header to for=%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%
(link)
Coincidentally , I've written an issue for Keycloak https://github.com/keycloak/keycloak/issues/23431 😅
Thank you @tsaarni for that suggestion!
I think I will set that header in the bitnami Helm chart globally like this:
configInline:
policy:
applyToIngress: true
request-headers:
set:
Forwarded: "for=%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%;host=%REQ(Host)%;proto=%PROTOCOL%"
The Contour project currently lacks enough contributors to adequately respond to all Issues.
This bot triages Issues according to the following rules:
- After 60d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, the Issue is closed
You can:
- Mark this Issue as fresh by commenting
- Close this Issue
- Offer to help out with triage
Please send feedback to the #contour channel in the Kubernetes Slack
The Contour project currently lacks enough contributors to adequately respond to all Issues.
This bot triages Issues according to the following rules:
- After 60d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, the Issue is closed
You can:
- Mark this Issue as fresh by commenting
- Close this Issue
- Offer to help out with triage
Please send feedback to the #contour channel in the Kubernetes Slack